iPhone 3G S – Hardware Encryption?

As many have noticed, Apple has released their new lineup of laptops, software, OSes, and iPhones. As I watched live coverage of the keynotes on Monday (thanks Gizmodo) – a few things caught my attention when they were speaking about the new iPhone 3G S.
The first thing that caught my eye was the mention of “hardware encryption.” Now, simply mentioning that a device supports hardware encryption can mean a lot of things, and Apple isn’t very clear about what they mean by this. Trying to do some further research didn’t help much either as I only ended up being further confused with all the different mentions of this “hardware encryption.” The official word from Apple is…

iPhone 3G S offers highly secure hardware encryption that enables instantaneous remote wipe. You can even encrypt your iTunes backups.

…according to that, it would sound like the remote wipe is dependent on the hardware encryption, which makes me believe that instead of actually wiping the data (as in a format), it would simply delete the private key – therefore making the data inaccessible. (Since iTunes stores a backup of all your iPhone data at every sync, securing this also seems important.)  This also assumes it’s using a strong form of encryption. I’ve also read in other posts…

…hardware encryption for Exchange users…

…as the listed feature. Does this mean it’s only available through Exchange, and at what level is it being used? Is it only securing your email? We know the iTunes songs and videos are already being encrypted on the device. Is this the same form of encryption they’re talking about?  We’ve asked an insider at Apple to help us out with some of these questions and are still awaiting a response.

All of this brings up major questions about the REAL security behind all these marketing terms. How much do companies actually care about security, and how much do they actually do to help protect their users? Is everything just a marketing ploy these days?

Users were upset about the lack of security in our last model of product X. Let’s add minor revisions and throw some good marketing verbiage in the features list and hope that fixes everything.

Is this how security is being treated? Apple isn’t the only company being vague about these types of issues; it rolls all across the board. They just happen to be the ones asking for the most attention at his current point in time.  Stay tuned as I hope to find and relay some answers to many of these questions as more details are revealed.

Posted June 8 2009

How ATM Skimmers Work

Much like most virtual hacks, some clever people create a very sophisticated tool and a bunch of amateurs (or crime syndicates) use them to commit fraud. Hardware hacks, like this ATM skimmer are generally more difficult to obtain, expensive, and can’t be copied and shared as easily as a computer program.

ATM skimmers like those shown in the video require a camera set up to see you PIN as you enter it. Aside from the obvious advice or not using and ATMs with wires or protruding panels, they recommend shielding the number pad as you enter in your PIN code. I’d add going inside of a bank to withdraw cash when at all possible, but now a days most debit cards double as credit cards and your PIN is pretty useless. The crooks can just take the card number swiped from the magnetic strip to go shopping online or sell to someone else.

Posted April 21 2009

Quantum Cryptography Takes Baby Steps, Not Unbreakable

You may have been reading about the latest advancements in quantum cryptography over the past week. Claims that the technology is unbreakable are unfounded however, if not in least for these theoretical reasons.

  • Quantum Cryptography Will Be Broken With Quantum Technology – Current computing technology uses methodical means to encrypt and decrypt data. Quantum physics doesn’t work sequentially or even follow the laws of classical physics.
    • The first quantum hack will be done with quantum technology.
  • The Human Factor – I always like to think about the “gun to head” method of cracking security. Put a gun to the right person’s head and they’ll tell you whatever you want. Quantum cryptography can be cracked by blackmailing, intimidating, and threatening the right people.
    • Not to mention that people lie, cheat, and steal for money or other personal gains. No technology in the world is immune from people.
  • Maybe God Isn’t Playing Dice – Einstein never believed that quantum physics was random famously saying, “God doesn’t play dice with the universe”. I agree with him, consider it’s just that we don’t completely understand what’s happening to entangled particles – making them seem “magic”.
    • The entire physical universe works according to a set of very well defined laws and rules. Why quantum physics should be an exception is unlikely.
    • If that is the case, quantum cryptography could be unraveled by a brilliant physicist one day.

All of the above is purely theoretical, but you should always be wary of “completely secure”, “unbreakable”, and “perfect security” – because it doesn’t exist. There are other theoretical ways to possibly disrupt or eavesdrop on a quantum message – but again they’re purely theoretical.

Well, so is practical quantum cryptography.

Posted October 9 2008

Networking when it’s not needed

Mark Kahn found out the hard way that even “small” sites will press charges when he hacked into Six Flags’ computer systems. He used a bad form on Six Flags’ job site to submit lots of bogus job applications containing threatening messages. While his stunt did not result in the loss of data, it did annoy some people enough to press charges. What I want to know now, is how well amusement parks’ externally facing websites are separated from the really important computer systems – those that belong to the rides/roller coasters.

I’m speculating here, because I ride coasters a *lot*, and the newer systems are controlled by general purpose computer systems – I’ve seen the Millennium Force at Cedar Point blue screen, and it was built in 1999/2000. I don’t know if these systems are networked at all, but I could see a business use for it: letting people know what rides were having problems, or just generally monitoring the health of each ride. These computer systems (like many at hospitals) control life or death literally, not just storing someone’s personal data. It’s a lot like the pacemakers that are bluetooth controlled. Do we really want to network these devices?

There are arguments on both sides of the fence, and I can see both sides – it’s easier to monitor and make changes (without having to go through surgery again), as well as “but someone could get killed”. Both sides make great cases (someone could die during surgery too), but the networked (whether bluetooth, wi-fi, RF, etc) devices also present the accidental hazard. What if I want to just play around with the bluetooth protocol and start sending garbage to a device I own (say my cell phone), and someone with a new pacemaker just happens to be sitting across the way at the coffee shop?

To network or not network is probably going to be an eternal question, and the answers are going to be different each time we ask that question. It all depends on what risks we’re willing to accept, and what ones we’re not.

Posted August 28 2008

Counterfeit Cisco Routers

This is really bad and scary news. The F.B.I. Says the Military Had Bogus Computer Gear.

[T]he… sinister specter of an electronic Trojan horse, lurking in the circuitry of a computer or a network router and allowing attackers clandestine access or control, was raised again recently by the F.B.I. and the Pentagon.
The new law enforcement and national security concerns were prompted by Operation Cisco Raider, which has led to 15 criminal cases involving counterfeit products bought in part by military agencies, military contractors and electric power companies in the United States. Over the two-year operation, 36 search warrants have been executed, resulting in the discovery of 3,500 counterfeit Cisco network components.

Cisco routers are everywhere. According to Cisco’s web site, “Cisco is the leading supplier of networking equipment and network management for the Internet.” The likelihood that you received this web page over one or more Cisco routers is extremely high.

Also, what if this wasn’t just counterfeiting?

The F.B.I. is still not certain whether the ring’s actions were for profit or part of a state-sponsored intelligence effort.

It’s one thing if largely used networking components get compromised through a flaw to allow “back door”, privilege escalation, or other nefarious access to data which flows across them. It’s an entirely different thing if these devices were (re-)engineered with villainous intentions. Such additions could be nearly impossible to detect. One more quote from the NY Times story:

The threat was demonstrated in April when a team of computer scientists from the University of Illinois presented a paper at a technical conference in San Francisco detailing how they had modified a Sun Microsystems SPARC microprocessor by altering the data file on a chip with nearly 1.8 million circuits used in automated manufacturing equipment…
“It’s very difficult to detect and discover these issues,” said Ted Vucurevich, the chief technology officer of Cadence Design Systems, a company that provides design tools for chip makers. Modern integrated circuits have billions of components, he said: “Adding a small number that do particular functions in particular cases is incredibly hard to detect.”

If this doesn’t give you nightmares, it should.

Posted May 9 2008

Public Key Cryptography could help save chip piracy.

A group of researchers from two universities have proposed a way to prevent chip piracy. The technique uses public key cryptography to lock down circuitry.

In a whitepaper published this month, Jarrod A. Roy and Igor L. Markov (of the University of Michigan) and Farinaz Koushanfar (of Rice University) outline the problem and details of how their proposed technology will help solve the increasing piracy of chip designs.

Markov will present the group’s proposal at the Design Automation and Test in Europe conference, to be held in Germany on March 13, 2008.

It’s a very technical read, but still interesting to see the diversity that public key cryptography can be used for.

Posted March 11 2008